 when provided the right passphrase or key, in memory.){kind=link}
Introduction
This program will execute XOR encrypted ciphertext (Python code) when provided the right passphrase or key, in memory. In this example, the encrypted code outputs, “Hello, lets go to google.com.” to the terminal. It then creates a connection to google.com and retrieves the homepage using urllib3.request. The Python code is only decrypted in memory, so if the script were discovered, the ciphertext will prevent anyone without the correct key from viewing the instructions.
What is XOR encryption?
Think of your Python instructions as strings of zeros and ones. Each zero or one represents a bit of information. XOR (Exclusive OR) is a special operation that compares these strings bit by bit:
- If both bits are the same (0 and 0, or 1 and 1), the result is 0.
- If the bits are different (0 and 1, or 1 and 0), the result is 1.
To encrypt, you “XOR” your Python code with a key, meaning the operation performs this bitwise comparison for every corresponding bit in the Python code. This results in a scrambled version of the Python code or a “ciphertext.”
Decrypting is simple: you perform the same XOR operation again with the same key. Since XOR is its own inverse, the scrambled bits are flipped back to their original state and the secret Python code is then processed and run with exec().
In this script (pyxor.py), the software retrieves the Python code ciphertext that has been provided, then decrypts this code in memory, and then runs the decrypted code stored in memory.
A corresponding Python file (xor_encrypt.py) is provided so that a user can encrypt Python instructions into a bytearray payload. This payload is provided to “pyxor.py”.
Usage Summary
python xor_encrypt.py <key>
> python xor_encrypt abc123The plaintext code provided in the xor_encrypt.py file looks like:
b'''import urllib.request
print("Hello, lets go to google.com.")
print(urllib.request.urlopen("https://google.com").read().decode())'''Notice that this script will print “Hello, lets go to google.com” and then download the google.com homepage.
This “xor_encrypt.py” script is used to encrypt the plaintext Python instructions that are provided. The resultant ciphertext for our prior instructions, stored in a bytearray, is:
b"\x08\x0f\x13^@GA\x17\x11]^Z\x03L\x11TCF\x04\x11\x17;BA\x08\x0c\x17\x19\x10{\x04\x0e\x0f^\x1e\x13\r\x07\x17B\x12T\x0eB\x17^\x12T\x0e\r\x04]W\x1d\x02\r\x0e\x1f\x10\x1ak\x12\x11X\\GI\x17\x11]^Z\x03L\x11TCF\x04\x11\x17\x1fGA\r\r\x13T\\\x1bC\n\x17EB@[MLV]\\\x06\x0e\x06\x1fQ\\\x0c@J\x1f@V\x00\x06K\x18\x1cW\x04\x01\x0cUW\x1bHK"Placing this code in the “pyxor.py” class variable “self.code” and running pyxor.py with the appropriate passphrase reveals the following instructions were executed from memory:
> python .\pyxor.py abc123
Hello, lets go to google.com.
<!doctype html><html itemscope="" itemtype="http://schema.org/WebPage" lang="en"><head><meta content="Search the world's information, including webpages, images, videos and more. Google has many special features to help you find exactly what you're looking for." name="description"><meta content="noodp, " name="robots"><meta content="text/html; charset=UTF-8" http-equiv="Content-Type"><meta content="/images/branding/googleg/
...Notice that the “Hello” string is printed and that the webpage (https://google.com) is then downloaded and printed to the screen.
Full Code
pyxor.py
import sys
class Xor:
def __init__(self):
self.code = bytearray(
b"\x08\x0f\x13^@GA\x17\x11]^Z\x03L\x11TCF\x04\x11\x17;BA\x08\x0c\x17\x19\x10{\x04\x0e\x0f^\x1e\x13\r\x07\x17B\x12T\x0eB\x17^\x12T\x0e\r\x04]W\x1d\x02\r\x0e\x1f\x10\x1ak\x12\x11X\\GI\x17\x11]^Z\x03L\x11TCF\x04\x11\x17\x1fGA\r\r\x13T\\\x1bC\n\x17EB@[MLV]\\\x06\x0e\x06\x1fQ\\\x0c@J\x1f@V\x00\x06K\x18\x1cW\x04\x01\x0cUW\x1bHK")
def xor(self, key):
result = bytearray()
for i in range(len(self.code)):
data_byte = self.code[i]
key_byte = key[i % len(key)] # Cycle through the key
ciphertext = data_byte ^ key_byte
result.append(ciphertext)
return result
def main() -> None:
globals_dict = {}
locals_dict = {}
key = ''
try:
key = sys.argv[1].encode()
except IndexError:
print(f"[!] Please provide the secret passphrase as the only argument.")
sys.exit(1)
xor = Xor()
try:
exec(xor.xor(key), globals_dict, locals_dict)
except SyntaxError:
print(f"Wrong passphrase.")
sys.exit(1)
if __name__ == "__main__":
main()
xor_encrypt.py
import sys
def xor(key, code):
result = bytearray()
for i in range(len(code)):
data_byte = code[i]
key_byte = key[i % len(key)] # Cycle through the key
ciphertext = data_byte ^ key_byte
result.append(ciphertext)
return result
def main() -> None:
code = b'''import urllib.request
print("Hello, lets go to google.com.")
print(urllib.request.urlopen("https://google.com").read().decode())'''
try:
key = sys.argv[1].encode()
except IndexError:
print(f"[!] Please provide the secret passphrase as the only argument.")
sys.exit(1)
print(xor(key, code))
if __name__ == "__main__":
main()
Other Thoughts
You could probably add a bunch of junk code to fluctuate the length of the ciphertext to help prevent anyone from gleaming the true length of instructions.